Attacker is able to determine if the provided username exists (and its valid) using Request New Password feature, based on the response time.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Otrs | Otrs | 7.0.0 (including) | 7.0.35 (excluding) |
Otrs | Otrs | 8.0.0 (including) | 8.0.23 (excluding) |